Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cargo vet check only checks target-specific dependencies if build.target is used #579

Open
Nemo157 opened this issue Nov 10, 2023 · 2 comments
Open

cargo vet check only checks target-specific dependencies if build.target is used #579

Nemo157 opened this issue Nov 10, 2023 · 2 comments

Comments

@Nemo157
Copy link

Nemo157 commented Nov 10, 2023

When configuring build.target in ~/.cargo/config.toml or via CARGO_BUILD_TARGET cargo will default to implying --target $CARGO_BUILD_TARGET for all commands, including the cargo metadata call performed by cargo vet. This means that dependencies that are not active for the set target will not be checked.

> cargo vet regenerate exemptions
> cargo vet check --locked
Vetting Succeeded (83 fully audited, 2 partially audited, 26 exempted)
> env -u CARGO_BUILD_TARGET cargo vet check
Vetting Failed!

12 unvetted dependencies:
  android-tzdata:0.1.1 missing ["safe-to-deploy"]
  hermit-abi:0.3.2 missing ["safe-to-deploy"]
  iana-time-zone-haiku:0.1.2 missing ["safe-to-deploy"]
  js-sys:0.3.65 missing ["safe-to-deploy"]
  wasm-bindgen:0.2.88 missing ["safe-to-deploy"]
  wasm-bindgen-backend:0.2.88 missing ["safe-to-deploy"]
  wasm-bindgen-macro:0.2.88 missing ["safe-to-deploy"]
  wasm-bindgen-macro-support:0.2.88 missing ["safe-to-deploy"]
  wasm-bindgen-shared:0.2.88 missing ["safe-to-deploy"]
  winapi-i686-pc-windows-gnu:0.4.0 missing ["safe-to-deploy"]
  winapi-x86_64-pc-windows-gnu:0.4.0 missing ["safe-to-deploy"]
  windows-core:0.50.0 missing ["safe-to-deploy"]

This may be an upstream bug, I don't think build.target should imply --filter-platform on cargo metadata, but I'm not positive.
@Nemo157
Copy link
Author

Nemo157 commented Nov 10, 2023

Yes, upstream bug, but very long-standing so it would be nice if cargo-vet worked around it somehow

rust-lang/cargo#8462

If it's configured through the environment like I do, it could just be unset on the sub-process call. If it's configured through the config file AFAIK there is no way to say "use the default all targets".

@quic-cbusold
Copy link

Sometimes one man's bug can be another one's feature. I was looking for a solution like requested in #63 to restrict dependencies to a specific target (for projects which only ever use a single one), and I found this "issue" which allows me to do that instead of adding manual exceptions. Therefore, I would prefer to keep this behavior for now or add an alternative configuration to enable exactly that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Nemo157 @quic-cbusold